だからこれが以下のIPフィルタと関連があるようです。

だからこれが以下のIPフィルタと関連があるようです。

ローカルネットワーク実験を試しましたが、名前空間ネットワーク内でpingを実行できませんでした。

私はFedora 37を使用しています。

Linux dmitry-desktop 6.1.18-200.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Mar 11 16:09:14 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

次のエラーが発生します。

➜ sudo ip netns exec netns-test0 ping 10.10.10.11
PING 10.10.10.11 (10.10.10.11) 56(84) bytes of data.
From 10.10.10.1 icmp_seq=1 Packet filtered
From 10.10.10.1 icmp_seq=2 Packet filtered
From 10.10.10.1 icmp_seq=3 Packet filtered

設定

➜ sudo ip netns add netns-test0                             
➜ sudo ip netns add netns-test1
➜ ls -la /var/run/netns
total 0
drwxr-xr-x.  2 root root   80 Mar 22 13:42 .
drwxr-xr-x. 63 root root 1.7K Mar 22 12:55 ..
-r--r--r--.  1 root root    0 Mar 22 13:42 netns-test0
-r--r--r--.  1 root root    0 Mar 22 13:42 netns-test1

➜ sudo ip link add eth00 type veth peer name eth01           
➜ sudo ip link add eth10 type veth peer name eth11 
➜ sudo ip link set eth00 up                       
➜ sudo ip link set eth01 up
➜ sudo ip link set eth01 netns netns-test0
➜ sudo ip link set eth11 netns netns-test1
➜ sudo ip netns exec netns-test0 ip link set lo up
➜ sudo ip netns exec netns-test0 ip link set eth01 up


➜ sudo ip netns exec netns-test0 ip addr 10.10.10.10/24 dev eth01
Command "10.10.10.10/24" is unknown, try "ip address help".

➜ sudo ip netns exec netns-test0 ip addr add 10.10.10.10/24 dev eth01
➜ sudo ip netns exec netns-test1 ip link set lo up                  
➜ sudo ip netns exec netns-test1 ip link set eth11 up               
➜ sudo ip netns exec netns-test1 ip addr add 10.10.10.11/24 dev eth11
➜ sudo ip link add name br0 type bridge
➜ sudo ip addr add 10.10.10.1/24 brd + dev br0 
➜ sudo ip link set br0 up                     

➜ sudo ip link set eth00 master br0
➜ sudo ip link set eth10 master br0

➜ sudo bridge link show br0        
20: eth00@if19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 2 
22: eth10@if21: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 2 

➜ sudo iptables -A FORWARD -i br0 -j ACCEPT
➜ sudo ip link set eth00 master br0

したがって、ルートネームスペースですべてのデバイスとbr0をpingできます。

➜ ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=0.038 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=0.057 ms


➜ ping 10.10.10.10
PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
64 bytes from 10.10.10.10: icmp_seq=1 ttl=64 time=0.047 ms
64 bytes from 10.10.10.10: icmp_seq=2 ttl=64 time=0.060 ms


➜ ping 10.10.10.11
PING 10.10.10.11 (10.10.10.11) 56(84) bytes of data.
64 bytes from 10.10.10.11: icmp_seq=1 ttl=64 time=0.049 ms
64 bytes from 10.10.10.11: icmp_seq=2 ttl=64 time=0.053 ms

ただし、ネームスペースネットワーク内でpingを開始すると、パケットはフィルタリングされます。

➜ sudo ip netns exec netns-test0 ping 10.10.10.10
PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
64 bytes from 10.10.10.10: icmp_seq=1 ttl=64 time=0.021 ms

➜ sudo ip netns exec netns-test0 ping 10.10.10.1 
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=0.063 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=0.070 ms

➜ sudo ip netns exec netns-test0 ping 10.10.10.11
PING 10.10.10.11 (10.10.10.11) 56(84) bytes of data.
From 10.10.10.1 icmp_seq=1 Packet filtered
From 10.10.10.1 icmp_seq=2 Packet filtered
From 10.10.10.1 icmp_seq=3 Packet filtered

➜ sudo ip netns exec netns-test1 ping 10.10.10.11
PING 10.10.10.11 (10.10.10.11) 56(84) bytes of data.
64 bytes from 10.10.10.11: icmp_seq=1 ttl=64 time=0.018 ms
64 bytes from 10.10.10.11: icmp_seq=2 ttl=64 time=0.033 ms
64 bytes from 10.10.10.11: icmp_seq=3 ttl=64 time=0.036 ms

➜ sudo ip netns exec netns-test1 ping 10.10.10.1 
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=0.061 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=0.075 ms
64 bytes from 10.10.10.1: icmp_seq=3 ttl=64 time=0.075 ms

took 2s 
➜ sudo ip netns exec netns-test1 ping 10.10.10.10
PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
From 10.10.10.1 icmp_seq=1 Packet filtered
From 10.10.10.1 icmp_seq=2 Packet filtered
From 10.10.10.1 icmp_seq=3 Packet filtered
From 10.10.10.1 icmp_seq=4 Packet filtered

took 3s 
✗  sudo ip netns exec netns-test1 ping 8.8.8.8    
ping: connect: Network is unreachable


➜ sudo ip netns exec netns-test0 ping 8.8.8.8
ping: connect: Network is unreachable

➜ sudo ip -all netns exec ip route                             

netns: netns-test1
10.10.10.0/24 dev eth11 proto kernel scope link src 10.10.10.11 

netns: netns-test0
10.10.10.0/24 dev eth01 proto kernel scope link src 10.10.10.10 


➜ sudo ip -all netns exec ip route add default via 10.10.10.1

netns: netns-test1
netns: netns-test0

➜ sudo ip -all netns exec ip route                           

netns: netns-test1
default via 10.10.10.1 dev eth11 
10.10.10.0/24 dev eth11 proto kernel scope link src 10.10.10.11 

netns: netns-test0
default via 10.10.10.1 dev eth01 
10.10.10.0/24 dev eth01 proto kernel scope link src 10.10.10.10 

➜ sudo ip netns exec netns-test0 ping 8.8.8.8              
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 10.10.10.1 icmp_seq=1 Packet filtered
From 10.10.10.1 icmp_seq=2 Packet filtered
From 10.10.10.1 icmp_seq=3 Packet filtered

私のiptablesの設定

➜ _ iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   95  7810 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   95  7810 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   13  1226 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
   15   956 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
   67  5628 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   15   956 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
   95  7810 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
   15   956 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   95  7810 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0  

ファイアウォール:

➜ firewall-cmd --list-all    
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: br0 ens1f1 eth01 eth11 vpn0
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

sudo nft リストルールセット

table inet firewalld {
    ct helper helper-netbios-ns-udp {
        type "netbios-ns" protocol udp
        l3proto ip
    }

    chain mangle_PREROUTING {
        type filter hook prerouting priority mangle + 10; policy accept;
        jump mangle_PREROUTING_ZONES
    }

    chain mangle_PREROUTING_POLICIES_pre {
        jump mangle_PRE_policy_allow-host-ipv6
    }

    chain mangle_PREROUTING_ZONES {
        iifname "br0" goto mangle_PRE_FedoraWorkstation
        iifname "eth11" goto mangle_PRE_FedoraWorkstation
        iifname "eth01" goto mangle_PRE_FedoraWorkstation
        iifname "vpn0" goto mangle_PRE_FedoraWorkstation
        iifname "ens1f1" goto mangle_PRE_FedoraWorkstation
        iifname "docker0" goto mangle_PRE_docker
        goto mangle_PRE_FedoraWorkstation
    }

    chain mangle_PREROUTING_POLICIES_post {
    }

    chain nat_PREROUTING {
        type nat hook prerouting priority dstnat + 10; policy accept;
        jump nat_PREROUTING_ZONES
    }

    chain nat_PREROUTING_POLICIES_pre {
        jump nat_PRE_policy_allow-host-ipv6
    }

    chain nat_PREROUTING_ZONES {
        iifname "br0" goto nat_PRE_FedoraWorkstation
        iifname "eth11" goto nat_PRE_FedoraWorkstation
        iifname "eth01" goto nat_PRE_FedoraWorkstation
        iifname "vpn0" goto nat_PRE_FedoraWorkstation
        iifname "ens1f1" goto nat_PRE_FedoraWorkstation
        iifname "docker0" goto nat_PRE_docker
        goto nat_PRE_FedoraWorkstation
    }

    chain nat_PREROUTING_POLICIES_post {
    }

    chain nat_POSTROUTING {
        type nat hook postrouting priority srcnat + 10; policy accept;
        jump nat_POSTROUTING_ZONES
    }

    chain nat_POSTROUTING_POLICIES_pre {
    }

    chain nat_POSTROUTING_ZONES {
        oifname "br0" goto nat_POST_FedoraWorkstation
        oifname "eth11" goto nat_POST_FedoraWorkstation
        oifname "eth01" goto nat_POST_FedoraWorkstation
        oifname "vpn0" goto nat_POST_FedoraWorkstation
        oifname "ens1f1" goto nat_POST_FedoraWorkstation
        oifname "docker0" goto nat_POST_docker
        goto nat_POST_FedoraWorkstation
    }

    chain nat_POSTROUTING_POLICIES_post {
    }

    chain nat_OUTPUT {
        type nat hook output priority -90; policy accept;
        jump nat_OUTPUT_POLICIES_pre
        jump nat_OUTPUT_POLICIES_post
    }

    chain nat_OUTPUT_POLICIES_pre {
    }

    chain nat_OUTPUT_POLICIES_post {
    }

    chain filter_PREROUTING {
        type filter hook prerouting priority filter + 10; policy accept;
        icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
        meta nfproto ipv6 fib saddr . mark . iif oif missing drop
    }

    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
        ct state { established, related } accept
        ct status dnat accept
        iifname "lo" accept
        ct state invalid drop
        jump filter_INPUT_ZONES
        reject with icmpx admin-prohibited
    }

    chain filter_FORWARD {
        type filter hook forward priority filter + 10; policy accept;
        ct state { established, related } accept
        ct status dnat accept
        iifname "lo" accept
        ct state invalid drop
        ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
        jump filter_FORWARD_ZONES
        reject with icmpx admin-prohibited
    }

    chain filter_OUTPUT {
        type filter hook output priority filter + 10; policy accept;
        ct state { established, related } accept
        oifname "lo" accept
        ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
        jump filter_OUTPUT_POLICIES_pre
        jump filter_OUTPUT_POLICIES_post
    }

    chain filter_INPUT_POLICIES_pre {
        jump filter_IN_policy_allow-host-ipv6
    }

    chain filter_INPUT_ZONES {
        iifname "br0" goto filter_IN_FedoraWorkstation
        iifname "eth11" goto filter_IN_FedoraWorkstation
        iifname "eth01" goto filter_IN_FedoraWorkstation
        iifname "vpn0" goto filter_IN_FedoraWorkstation
        iifname "ens1f1" goto filter_IN_FedoraWorkstation
        iifname "docker0" goto filter_IN_docker
        goto filter_IN_FedoraWorkstation
    }

    chain filter_INPUT_POLICIES_post {
    }

    chain filter_FORWARD_POLICIES_pre {
    }

    chain filter_FORWARD_ZONES {
        iifname "br0" goto filter_FWD_FedoraWorkstation
        iifname "eth11" goto filter_FWD_FedoraWorkstation
        iifname "eth01" goto filter_FWD_FedoraWorkstation
        iifname "vpn0" goto filter_FWD_FedoraWorkstation
        iifname "ens1f1" goto filter_FWD_FedoraWorkstation
        iifname "docker0" goto filter_FWD_docker
        goto filter_FWD_FedoraWorkstation
    }

    chain filter_FORWARD_POLICIES_post {
    }

    chain filter_OUTPUT_POLICIES_pre {
    }

    chain filter_OUTPUT_POLICIES_post {
    }

    chain filter_IN_FedoraWorkstation {
        jump filter_INPUT_POLICIES_pre
        jump filter_IN_FedoraWorkstation_pre
        jump filter_IN_FedoraWorkstation_log
        jump filter_IN_FedoraWorkstation_deny
        jump filter_IN_FedoraWorkstation_allow
        jump filter_IN_FedoraWorkstation_post
        jump filter_INPUT_POLICIES_post
        meta l4proto { icmp, ipv6-icmp } accept
        reject with icmpx admin-prohibited
    }

    chain filter_IN_FedoraWorkstation_pre {
    }

    chain filter_IN_FedoraWorkstation_log {
    }

    chain filter_IN_FedoraWorkstation_deny {
    }

    chain filter_IN_FedoraWorkstation_allow {
        ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
        tcp dport 22 ct state { new, untracked } accept
        udp dport 137 ct helper set "helper-netbios-ns-udp"
        udp dport 137 ct state { new, untracked } accept
        udp dport 138 ct state { new, untracked } accept
        ip daddr 224.0.0.251 udp dport 5353 ct state { new, untracked } accept
        ip6 daddr ff02::fb udp dport 5353 ct state { new, untracked } accept
        udp dport 1025-65535 ct state { new, untracked } accept
        tcp dport 1025-65535 ct state { new, untracked } accept
    }

    chain filter_IN_FedoraWorkstation_post {
    }

    chain nat_POST_FedoraWorkstation {
        jump nat_POSTROUTING_POLICIES_pre
        jump nat_POST_FedoraWorkstation_pre
        jump nat_POST_FedoraWorkstation_log
        jump nat_POST_FedoraWorkstation_deny
        jump nat_POST_FedoraWorkstation_allow
        jump nat_POST_FedoraWorkstation_post
        jump nat_POSTROUTING_POLICIES_post
    }

    chain nat_POST_FedoraWorkstation_pre {
    }

    chain nat_POST_FedoraWorkstation_log {
    }

    chain nat_POST_FedoraWorkstation_deny {
    }

    chain nat_POST_FedoraWorkstation_allow {
    }

    chain nat_POST_FedoraWorkstation_post {
    }

    chain filter_FWD_FedoraWorkstation {
        jump filter_FORWARD_POLICIES_pre
        jump filter_FWD_FedoraWorkstation_pre
        jump filter_FWD_FedoraWorkstation_log
        jump filter_FWD_FedoraWorkstation_deny
        jump filter_FWD_FedoraWorkstation_allow
        jump filter_FWD_FedoraWorkstation_post
        jump filter_FORWARD_POLICIES_post
        reject with icmpx admin-prohibited
    }

    chain filter_FWD_FedoraWorkstation_pre {
    }

    chain filter_FWD_FedoraWorkstation_log {
    }

    chain filter_FWD_FedoraWorkstation_deny {
    }

    chain filter_FWD_FedoraWorkstation_allow {
    }

    chain filter_FWD_FedoraWorkstation_post {
    }

    chain nat_PRE_FedoraWorkstation {
        jump nat_PREROUTING_POLICIES_pre
        jump nat_PRE_FedoraWorkstation_pre
        jump nat_PRE_FedoraWorkstation_log
        jump nat_PRE_FedoraWorkstation_deny
        jump nat_PRE_FedoraWorkstation_allow
        jump nat_PRE_FedoraWorkstation_post
        jump nat_PREROUTING_POLICIES_post
    }

    chain nat_PRE_FedoraWorkstation_pre {
    }

    chain nat_PRE_FedoraWorkstation_log {
    }

    chain nat_PRE_FedoraWorkstation_deny {
    }

    chain nat_PRE_FedoraWorkstation_allow {
    }

    chain nat_PRE_FedoraWorkstation_post {
    }

    chain mangle_PRE_FedoraWorkstation {
        jump mangle_PREROUTING_POLICIES_pre
        jump mangle_PRE_FedoraWorkstation_pre
        jump mangle_PRE_FedoraWorkstation_log
        jump mangle_PRE_FedoraWorkstation_deny
        jump mangle_PRE_FedoraWorkstation_allow
        jump mangle_PRE_FedoraWorkstation_post
        jump mangle_PREROUTING_POLICIES_post
    }

    chain mangle_PRE_FedoraWorkstation_pre {
    }

    chain mangle_PRE_FedoraWorkstation_log {
    }

    chain mangle_PRE_FedoraWorkstation_deny {
    }

    chain mangle_PRE_FedoraWorkstation_allow {
    }

    chain mangle_PRE_FedoraWorkstation_post {
    }

    chain filter_IN_policy_allow-host-ipv6 {
        jump filter_IN_policy_allow-host-ipv6_pre
        jump filter_IN_policy_allow-host-ipv6_log
        jump filter_IN_policy_allow-host-ipv6_deny
        jump filter_IN_policy_allow-host-ipv6_allow
        jump filter_IN_policy_allow-host-ipv6_post
    }

    chain filter_IN_policy_allow-host-ipv6_pre {
    }

    chain filter_IN_policy_allow-host-ipv6_log {
    }

    chain filter_IN_policy_allow-host-ipv6_deny {
    }

    chain filter_IN_policy_allow-host-ipv6_allow {
        icmpv6 type nd-neighbor-advert accept
        icmpv6 type nd-neighbor-solicit accept
        icmpv6 type nd-router-advert accept
        icmpv6 type nd-redirect accept
    }

    chain filter_IN_policy_allow-host-ipv6_post {
    }

    chain nat_PRE_policy_allow-host-ipv6 {
        jump nat_PRE_policy_allow-host-ipv6_pre
        jump nat_PRE_policy_allow-host-ipv6_log
        jump nat_PRE_policy_allow-host-ipv6_deny
        jump nat_PRE_policy_allow-host-ipv6_allow
        jump nat_PRE_policy_allow-host-ipv6_post
    }

    chain nat_PRE_policy_allow-host-ipv6_pre {
    }

    chain nat_PRE_policy_allow-host-ipv6_log {
    }

    chain nat_PRE_policy_allow-host-ipv6_deny {
    }

    chain nat_PRE_policy_allow-host-ipv6_allow {
    }

    chain nat_PRE_policy_allow-host-ipv6_post {
    }

    chain mangle_PRE_policy_allow-host-ipv6 {
        jump mangle_PRE_policy_allow-host-ipv6_pre
        jump mangle_PRE_policy_allow-host-ipv6_log
        jump mangle_PRE_policy_allow-host-ipv6_deny
        jump mangle_PRE_policy_allow-host-ipv6_allow
        jump mangle_PRE_policy_allow-host-ipv6_post
    }

    chain mangle_PRE_policy_allow-host-ipv6_pre {
    }

    chain mangle_PRE_policy_allow-host-ipv6_log {
    }

    chain mangle_PRE_policy_allow-host-ipv6_deny {
    }

    chain mangle_PRE_policy_allow-host-ipv6_allow {
    }

    chain mangle_PRE_policy_allow-host-ipv6_post {
    }

    chain filter_IN_docker {
        jump filter_INPUT_POLICIES_pre
        jump filter_IN_docker_pre
        jump filter_IN_docker_log
        jump filter_IN_docker_deny
        jump filter_IN_docker_allow
        jump filter_IN_docker_post
        jump filter_INPUT_POLICIES_post
        accept
    }

    chain filter_IN_docker_pre {
    }

    chain filter_IN_docker_log {
    }

    chain filter_IN_docker_deny {
    }

    chain filter_IN_docker_allow {
    }

    chain filter_IN_docker_post {
    }

    chain nat_POST_docker {
        jump nat_POSTROUTING_POLICIES_pre
        jump nat_POST_docker_pre
        jump nat_POST_docker_log
        jump nat_POST_docker_deny
        jump nat_POST_docker_allow
        jump nat_POST_docker_post
        jump nat_POSTROUTING_POLICIES_post
    }

    chain nat_POST_docker_pre {
    }

    chain nat_POST_docker_log {
    }

    chain nat_POST_docker_deny {
    }

    chain nat_POST_docker_allow {
    }

    chain nat_POST_docker_post {
    }

    chain filter_FWD_docker {
        jump filter_FORWARD_POLICIES_pre
        jump filter_FWD_docker_pre
        jump filter_FWD_docker_log
        jump filter_FWD_docker_deny
        jump filter_FWD_docker_allow
        jump filter_FWD_docker_post
        jump filter_FORWARD_POLICIES_post
        accept
    }

    chain filter_FWD_docker_pre {
    }

    chain filter_FWD_docker_log {
    }

    chain filter_FWD_docker_deny {
    }

    chain filter_FWD_docker_allow {
        oifname "docker0" accept
    }

    chain filter_FWD_docker_post {
    }

    chain nat_PRE_docker {
        jump nat_PREROUTING_POLICIES_pre
        jump nat_PRE_docker_pre
        jump nat_PRE_docker_log
        jump nat_PRE_docker_deny
        jump nat_PRE_docker_allow
        jump nat_PRE_docker_post
        jump nat_PREROUTING_POLICIES_post
    }

    chain nat_PRE_docker_pre {
    }

    chain nat_PRE_docker_log {
    }

    chain nat_PRE_docker_deny {
    }

    chain nat_PRE_docker_allow {
    }

    chain nat_PRE_docker_post {
    }

    chain mangle_PRE_docker {
        jump mangle_PREROUTING_POLICIES_pre
        jump mangle_PRE_docker_pre
        jump mangle_PRE_docker_log
        jump mangle_PRE_docker_deny
        jump mangle_PRE_docker_allow
        jump mangle_PRE_docker_post
        jump mangle_PREROUTING_POLICIES_post
    }

    chain mangle_PRE_docker_pre {
    }

    chain mangle_PRE_docker_log {
    }

    chain mangle_PRE_docker_deny {
    }

    chain mangle_PRE_docker_allow {
    }

    chain mangle_PRE_docker_post {
    }
}
table ip nat {
    chain DOCKER {
        iifname "docker0" counter packets 0 bytes 0 return
    }

    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 4 bytes 230 masquerade 
    }

    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        fib daddr type local counter packets 22340 bytes 10759965 jump DOCKER
    }

    chain OUTPUT {
        type nat hook output priority -100; policy accept;
        ip daddr != 127.0.0.0/8 fib daddr type local counter packets 42 bytes 3674 jump DOCKER
    }
}
table ip filter {
    chain DOCKER {
    }

    chain DOCKER-ISOLATION-STAGE-1 {
        iifname "docker0" oifname != "docker0" counter packets 15 bytes 956 jump DOCKER-ISOLATION-STAGE-2
        counter packets 98 bytes 8062 return
    }

    chain DOCKER-ISOLATION-STAGE-2 {
        oifname "docker0" counter packets 0 bytes 0 drop
        counter packets 15 bytes 956 return
    }

    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        counter packets 98 bytes 8062 jump DOCKER-USER
        counter packets 98 bytes 8062 jump DOCKER-ISOLATION-STAGE-1
        oifname "docker0" ct state related,established counter packets 13 bytes 1226 accept
        oifname "docker0" counter packets 0 bytes 0 jump DOCKER
        iifname "docker0" oifname != "docker0" counter packets 15 bytes 956 accept
        iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
        iifname "br0" counter packets 70 bytes 5880 accept
        counter packets 0 bytes 0
        counter packets 0 bytes 0
        counter packets 0 bytes 0
        counter packets 0 bytes 0
        counter packets 0 bytes 0
        counter packets 0 bytes 0
        iifname "br0" counter packets 0 bytes 0 accept
        iifname "br0" counter packets 0 bytes 0 accept
    }

    chain DOCKER-USER {
        counter packets 98 bytes 8062 return
    }
}


だからこれが以下のIPフィルタと関連があるようです。

➜ sudo nft list table ip filter   
table ip filter {
    chain DOCKER {
    }

    chain DOCKER-ISOLATION-STAGE-1 {
        iifname "docker0" oifname != "docker0" counter packets 15 bytes 956 jump DOCKER-ISOLATION-STAGE-2
        counter packets 98 bytes 8062 return
    }

    chain DOCKER-ISOLATION-STAGE-2 {
        oifname "docker0" counter packets 0 bytes 0 drop
        counter packets 15 bytes 956 return
    }

    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        counter packets 98 bytes 8062 jump DOCKER-USER
        counter packets 98 bytes 8062 jump DOCKER-ISOLATION-STAGE-1
        oifname "docker0" ct state related,established counter packets 13 bytes 1226 accept
        oifname "docker0" counter packets 0 bytes 0 jump DOCKER
        iifname "docker0" oifname != "docker0" counter packets 15 bytes 956 accept
        iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
        iifname "br0" counter packets 70 bytes 5880 accept
        counter packets 0 bytes 0
        counter packets 0 bytes 0
        counter packets 0 bytes 0
        counter packets 0 bytes 0
        counter packets 0 bytes 0
        counter packets 0 bytes 0
        iifname "br0" counter packets 0 bytes 0 accept
        iifname "br0" counter packets 0 bytes 0 accept
    }

    chain DOCKER-USER {
        counter packets 98 bytes 8062 return
    }
}

答え1

IPv4への参照を制限します(IPv6またはARPも影響を受けますが、OPはIPv6を使用せず、ARPのデフォルトのファイアウォールはありません)。

ルーストアバウト依存してロードカーネルモジュールbr_netfilter同じLAN上の2つのコンテナ間でもコンテナの分離を適切に制御します。

これにより、NetfilterはIPv4フックを呼び出すことができます。ブリッジIPv4タイプのフレーム。これは文書化されていますが、iptablesnftables同じNetfilter APIと対応するIPv4フック(したがってip純粋なIPv4ファミリとinetハイブリッドIPv4 + IPv6ファミリ)を使用すると、同じ影響を受けます。結果は以下の通りです。

一般ネットワークのNetfilterとパケットフロー

完全にロードされるとbr_netfilteriptablesそしてnftablesIPv4ネットワーク層(緑色の領域の緑色のボックス)で一般的に使用されるIPv4コンポーネント(小さな緑色のボックス)は、ブリッジリンク層の場合(青い領域の緑色のボックス)にも使用されます。

だからブリッジ額縁ファイアウォールで保護iptablesフィルター/FORWARDチェーン。 OPは通常、不要な作業を行いました。br_netfilterブリッジされたフレームはiptablesのフィルタ/転送を通過しません。

sudo iptables -A FORWARD -i br0 -j ACCEPT

これにより、FORWARDチェーンでDockerによってインストールされたデフォルトのDROPポリシーをバイパスできます。ブリッジフレーム。実際にDockerが登場したら、DOCKER-USER代わりにこのルールをチェーンに挿入(追加ではない)する必要があります。

sudo iptables -I DOCKER-USER -i br0 -j ACCEPT

ただし、同じ操作を実行する別のフックによってファイアウォールが制限されます。ここでは純粋です。nftablesこの表を使用してFirewalldによってインストールされますinet firewalld。この部分はブリッジパケットを拒否します。

table inet firewalld {

...

    chain filter_FORWARD {
        type filter hook forward priority filter + 10; policy accept;

...

        reject with icmpx admin-prohibited
    }

最後に、パケットは最初(iptables)転送フックがありますが、2番目のフックでは拒否されました(Firewalldnftables)フロントフック。

iptablesここでは、(OPのコマンドに加えて)rootとして実行し、次を使用します。nftables:

nft insert rule inet firewalld filter_FORWARD iifname br0 oifname br0 accept

2番目のフックのフレームもルールが上書きされるまで許可されます。この設定は、Firewalldの独自の構成に追加する必要があります。

FirewalldがOP設定に変更されたFedora 37コンテナ(およびbr_netfilterホストにロードされたモジュール)でテストする方法は次のとおりです。 Firewalldがインターフェイスの転送許可ルールを追加し、br0pingが機能するようにする方法は次のとおりです。

firewall-cmd --zone=FedoraWorkstation --remove-interface=br0
firewall-cmd --zone=FedoraWorkstation --remove-interface=br0 --permanent
firewall-cmd --zone=trusted --add-interface=br0
firewall-cmd --zone=trusted --add-interface=br0 --permanent

適切なセキュリティ規則を持ついくつかのカスタム領域を使用する必要があります。

一部のStack Exchangeリンクでは、関連するDockerの質問に回答しました。

1 2 サム 4

関連情報